9563777

Security Policy Generation Based on Snapshots of Similar Virtual Machines

Published: February 7, 2017
Assignee: not available in USPTO data we have
Patent Claims
14 claims

Legal claims defining the scope of protection, as filed with the USPTO.

1. A method comprising: monitoring a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines; for each virtual machine of the set of monitored virtual machines, determining a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots; determining a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions: (i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack; determining a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions: (i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and analyzing the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following: (i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack; wherein the comparison of the snapshot deltas is based only on significant snapshot deltas; wherein the analysis of the snapshot deltas includes: determining an identity of first intersection snapshot deltas that occur in every virtual machine of the first subset of virtual machine(s); and communicating that the first intersection snapshot deltas are relatively likely to reflect an effective defense to the attack.

2. The method of claim 1 wherein the analysis of the snapshot deltas includes: determining an identity of first union snapshot deltas that occur in at least one virtual machine of the first subset of virtual machine(s); and communicating that the first union snapshot deltas may reflect an effective defense to the attack.

3. The method of claim 1 wherein the analysis of the snapshot deltas includes: determining an identity of second intersection snapshot deltas that occur in every virtual machine of the second subset of virtual machine(s); and communicating that the second intersection snapshot deltas are relatively likely to lead to a vulnerability to the attack.

4. The method of claim 1 wherein the analysis of the snapshot deltas includes: determining an identity of second union snapshot deltas that occur in at least one virtual machine of the second subset of virtual machine(s); and communicating that the second union snapshot deltas may cause a vulnerability to the attack.

5. The method of claim 1 further comprising: identifying a fix based, at least in part, upon the determination of unhealthy snapshot deltas and/or healthy snapshot deltas; and applying the fix to at least one VM to: (i) prevent at least one vulnerability(ies), in the at least one VM, with respect to a malicious attack, and/or (ii) protect the at least one VM from failure due to a non-malicious workload spike.

6. A computer program product comprising a computer readable storage medium having stored thereon: first program instructions programmed to monitor a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines; second program instructions programmed to, for each virtual machine of the set of monitored virtual machines, determine a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots; third program instructions programmed to determine a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions: (i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack; fourth program instructions programmed to determine a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions: (i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack; and fifth program instructions programmed to analyze the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following: (i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack; wherein the comparison of the snapshot deltas is based only on significant snapshot deltas; wherein the fifth program instructions are further programmed to: determine an identity of first intersection snapshot deltas that occur in every virtual machine of the first subset of virtual machine(s); and communicate that the first intersection snapshot deltas are relatively likely to reflect an effective defense to the attack.

7. The product of claim 6 wherein the fifth program instructions are further programmed to: determine an identity of first union snapshot deltas that occur in at least one virtual machine of the first subset of virtual machine(s); and communicate that the first union snapshot deltas may reflect an effective defense to the attack.

8. The product of claim 6 wherein the fifth program instructions are further programmed to: determine an identity of second intersection snapshot deltas that occur in every virtual machine of the second subset of virtual machine(s); and communicate that the second intersection snapshot deltas are relatively likely to lead to a vulnerability to the attack.

9. The product of claim 6 wherein the fifth program instructions are further programmed to: determine an identity of second union snapshot deltas that occur in at least one virtual machine of the second subset of virtual machine(s); and communicate that the second union snapshot deltas may cause a vulnerability to the attack.

10. The product of claim 6 wherein the fifth program instructions are further programmed to: determine an identity of first intersection snapshot deltas that occur in every virtual machine of the first subset of virtual machine(s); communicate that the first intersection snapshot deltas are relatively likely to reflect an effective defense to the attack; determine an identity of first union snapshot deltas that occur in at least one virtual machine of the first subset of virtual machine(s); communicate that the first union snapshot deltas may reflect an effective defense to the attack; determine an identity of second intersection snapshot deltas that occur in every virtual machine of the second subset of virtual machine(s); communicate that the second intersection snapshot deltas are relatively likely to lead to a vulnerability to the attack; determine an identity of second union snapshot deltas that occur in at least one virtual machine of the second subset of virtual machine(s); and communicate that the second union snapshot deltas may cause a vulnerability to the attack.

11. A computer system comprising: a processor(s) set; and a computer readable storage medium; wherein: the processor set is structured, located, connected and/or programmed to run program instructions stored on the computer readable storage medium; and the program instructions include: first program instructions programmed to monitor a set of monitored virtual machines by (i) running the virtual machines to receive and process data, and (ii) intermittently taking snapshots of each virtual machine in the set of virtual machines, second program instructions programmed to, for each virtual machine of the set of monitored virtual machines, determine a set of snapshot deltas, with each snapshot delta respectively corresponding to changes between pairs of temporally adjacent snapshots, third program instructions programmed to determine a first subset of virtual machines from the set of monitored virtual machines, where each virtual machine in the first subset of virtual machines meets the following conditions: (i) the virtual machine has been subject to an attack, and (ii) the virtual machine has not been adversely affected by the attack, fourth program instructions programmed to determine a second subset of virtual machines from the set of virtual machines, where each virtual machine in the second subset of virtual machines meets the following conditions: (i) the virtual machine has been subject to an attack, and (ii) the virtual machine has been adversely affected by the attack, and fifth program instructions programmed to analyze the set(s) of snapshot deltas from the first subset of virtual machine(s) and/or the set(s) of snapshot deltas from the second subset of virtual machine(s) to determine at least one of the following: (i) unhealthy snapshot deltas that tend to occur in only virtual machines that are adversely affected by the attack, and/or (ii) healthy snapshot deltas that tend to occur only in machines that are subject to the attack but are not adversely affected by the attack; wherein the comparison of the snapshot deltas is based only on significant snapshot deltas; wherein the fifth program instructions are further programmed to: determine an identity of first intersection snapshot deltas that occur in every virtual machine of the first subset of virtual machine(s); and communicate that the first intersection snapshot deltas are relatively likely to reflect an effective defense to the attack.

12. The system of claim 11 wherein the fifth program instructions are further programmed to: determine an identity of first union snapshot deltas that occur in at least one virtual machine of the first subset of virtual machine(s); and communicate that the first union snapshot deltas may reflect an effective defense to the attack.

13. The system of claim 11 wherein the fifth program instructions are further programmed to: determine an identity of second intersection snapshot deltas that occur in every virtual machine of the second subset of virtual machine(s); and communicate that the second intersection snapshot deltas are relatively likely to lead to a vulnerability to the attack.

14. The system of claim 11 wherein the fifth program instructions are further programmed to: determine an identity of second union snapshot deltas that occur in at least one virtual machine of the second subset of virtual machine(s); and communicate that the second union snapshot deltas may cause a vulnerability to the attack.
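The analysis recited in claims 1 through 5, and restated as program instructions in claims 6 through 14, reduces to set operations over per-VM delta sets: compute the changes between temporally adjacent snapshots, keep only the significant ones, split the attacked VMs into those that were not adversely affected (first subset) and those that were (second subset), then take the intersection and union of each subset's deltas. The following Python is an added example written for this page, not code from the patent or its inventors. The snapshot representation (a dict of configuration keys to observed values), the volatile-key prefixes used to decide which deltas count as significant, and the five sample VMs with their attack labels are all constructed for illustration.

```python
"""Snapshot-delta analysis across similar VMs (constructed example, not the patent's code)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Snapshot = Dict[str, str]      # configuration key -> observed value at snapshot time
Delta = Tuple[str, str, str]   # (key, old_value, new_value)

# Keys that change on every snapshot regardless of attack outcome. Deltas on these
# are treated as insignificant (assumed noise model for this example only).
VOLATILE_PREFIXES = ("uptime", "log:", "tmp:")
ABSENT = "<absent>"


@dataclass
class MonitoredVM:
    name: str
    snapshots: List[Snapshot]   # temporally ordered
    attacked: bool
    adversely_affected: bool


def snapshot_deltas(snapshots: List[Snapshot]) -> Set[Delta]:
    """Changes between each pair of temporally adjacent snapshots (claim 1, step 2)."""
    deltas: Set[Delta] = set()
    for earlier, later in zip(snapshots, snapshots[1:]):
        for key in earlier.keys() | later.keys():
            old, new = earlier.get(key, ABSENT), later.get(key, ABSENT)
            if old != new:
                deltas.add((key, old, new))
    return deltas


def significant(deltas: Set[Delta]) -> Set[Delta]:
    """Drop deltas on volatile keys so the comparison uses only significant deltas."""
    return {d for d in deltas if not d[0].startswith(VOLATILE_PREFIXES)}


def partition(vms: List[MonitoredVM]) -> Tuple[List[MonitoredVM], List[MonitoredVM]]:
    """First subset: attacked but unaffected. Second subset: attacked and affected."""
    healthy = [vm for vm in vms if vm.attacked and not vm.adversely_affected]
    unhealthy = [vm for vm in vms if vm.attacked and vm.adversely_affected]
    return healthy, unhealthy


def analyze(vms: List[MonitoredVM]) -> Dict[str, Set[Delta]]:
    """Intersections and unions of significant deltas per subset (claims 1 to 4)."""
    healthy, unhealthy = partition(vms)
    h_sets = [significant(snapshot_deltas(vm.snapshots)) for vm in healthy]
    u_sets = [significant(snapshot_deltas(vm.snapshots)) for vm in unhealthy]
    first_union = set.union(*h_sets) if h_sets else set()
    second_union = set.union(*u_sets) if u_sets else set()
    return {
        "first_intersection": set.intersection(*h_sets) if h_sets else set(),   # likely effective defense
        "first_union": first_union,                                              # may reflect a defense
        "second_intersection": set.intersection(*u_sets) if u_sets else set(),  # likely leads to vulnerability
        "second_union": second_union,                                            # may cause vulnerability
        "healthy_only": first_union - second_union,      # deltas seen only on unaffected VMs
        "unhealthy_only": second_union - first_union,    # deltas seen only on affected VMs
    }


def recommend_fix(result: Dict[str, Set[Delta]]) -> List[str]:
    """Claim 5: turn the analysis into policy lines a defender can review and apply."""
    lines = [f"apply to all VMs: set {k} = {new!r} (seen on every unaffected VM)"
             for k, _old, new in sorted(result["first_intersection"])]
    lines += [f"alert if {k} changes {old!r} -> {new!r} (seen only on affected VMs)"
              for k, old, new in sorted(result["unhealthy_only"])]
    return lines


# Constructed sample fleet: two attacked-but-healthy VMs, two attacked-and-compromised
# VMs, and one never-attacked VM that the partition must ignore.
_BASE = {"pkg:openssl": "1.0.1e", "fw:port22": "open", "svc:telnet": "enabled", "uptime": "10"}
SAMPLE_VMS = [
    MonitoredVM("vm-a", [dict(_BASE), {**_BASE, "pkg:openssl": "1.0.1g", "svc:telnet": "disabled", "uptime": "20"}], True, False),
    MonitoredVM("vm-b", [{**_BASE, "svc:telnet": "disabled"},
                         {**_BASE, "svc:telnet": "disabled", "pkg:openssl": "1.0.1g", "fw:port22": "restricted", "uptime": "15"}], True, False),
    MonitoredVM("vm-c", [dict(_BASE), {**_BASE, "uptime": "13", "cron:miner": "present"}], True, True),
    MonitoredVM("vm-d", [{**_BASE, "svc:telnet": "disabled"},
                         {**_BASE, "svc:telnet": "disabled", "uptime": "17", "cron:miner": "present", "user:backdoor": "present"}], True, True),
    MonitoredVM("vm-e", [dict(_BASE), {**_BASE, "uptime": "99", "log:lines": "500"}], False, False),
]

if __name__ == "__main__":
    result = analyze(SAMPLE_VMS)
    for label, deltas in result.items():
        print(label, sorted(deltas))
    print("\n".join(recommend_fix(result)))
```

On the sample fleet, the first intersection contains only the openssl upgrade, which both unaffected VMs share; the telnet and port-22 changes land in the first union (present on at least one unaffected VM) but not the intersection; and the cron and user additions appear only on affected VMs, so they feed the "unhealthy_only" set and the alerting lines rather than the fix lines.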

Patent Metadata

Filing Date: Unknown

Publication Date: February 7, 2017

Inventors

Yu Deng
Ruchi Mahindru
HariGovind V. Ramasamy
Lakshminarayanan Renganarayana
Soumitra Sarkar
Long Wang


Citation & reuse

Analysis on this page is generated by Patentable — an AI-powered patent intelligence platform. AI-generated summaries, explanations, and analysis may be reused with attribution and a visible link back to the canonical URL below. Patent abstracts and claims are USPTO public domain.

Cite as: Patentable. “SECURITY POLICY GENERATION BASED ON SNAPSHOTS OF SIMILAR VIRTUAL MACHINES” (9563777). https://patentable.app/patents/9563777
